cryptpad_root = "/var/lib/nginx/cryptpad";
in
{
-services.cryptpad = {
- enable = true;
- # DOC: https://github.com/xwiki-labs/cryptpad/blob/master/config/config.example.js
- configFile = pkgs.writeText "config.js" ''
- module.exports = {
- httpUnsafeOrigin: 'https://${main_domain}/',
- httpSafeOrigin: "https://${sandbox_domain}/",
- httpAddress: '::1',
- httpPort: 3100,
- httpSafePort: 3101,
- maxWorkers: 1,
-
- /* =====================
- * Admin
- * ===================== */
- adminKeys: [
- "https://cryptpad.sourcephile.fr/user/#/1/julm/s9y2aE8C5INMZSrR2yQbWBNcGpB8nSLZGFVhGHE8Nn8=",
- ],
- // supportMailboxPublicKey: "",
-
- removeDonateButton: true,
- disableAnonymousStore: true,
- disableCrowdfundingMessages: true,
- adminEmail: 'root+cryptpad@sourcephile.fr',
- blockDailyCheck: true,
- defaultStorageLimit: 1024 * 1024 * 1024,
-
- /* =====================
- * STORAGE
- * ===================== */
- //inactiveTime: 90, // days
- //archiveRetentionTime: 15,
- maxUploadSize: 256 * 1024 * 1024,
-
- /*
- customLimits: {
- "https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": {
- limit: 20 * 1024 * 1024 * 1024,
- plan: 'insider',
- note: 'storage space donated by my.awesome.website'
+ services.cryptpad = {
+ enable = true;
+ # DOC: https://github.com/xwiki-labs/cryptpad/blob/master/config/config.example.js
+ configFile = pkgs.writeText "config.js" ''
+ module.exports = {
+ httpUnsafeOrigin: 'https://${main_domain}/',
+ httpSafeOrigin: "https://${sandbox_domain}/",
+ httpAddress: '::1',
+ httpPort: 3100,
+ httpSafePort: 3101,
+ maxWorkers: 1,
+
+ /* =====================
+ * Admin
+ * ===================== */
+ adminKeys: [
+ "https://cryptpad.sourcephile.fr/user/#/1/julm/s9y2aE8C5INMZSrR2yQbWBNcGpB8nSLZGFVhGHE8Nn8=",
+ ],
+ // supportMailboxPublicKey: "",
+
+ removeDonateButton: true,
+ disableAnonymousStore: true,
+ disableCrowdfundingMessages: true,
+ adminEmail: 'root+cryptpad@sourcephile.fr',
+ blockDailyCheck: true,
+ defaultStorageLimit: 1024 * 1024 * 1024,
+
+ /* =====================
+ * STORAGE
+ * ===================== */
+ //inactiveTime: 90, // days
+ //archiveRetentionTime: 15,
+ maxUploadSize: 256 * 1024 * 1024,
+
+ /*
+ customLimits: {
+ "https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": {
+ limit: 20 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ },
+ "https://my.awesome.website/user/#/1/cryptpad-user2/GdflkgdlkjeworijfkldfsdflkjeEAsdlEnkbx1vVOo=": {
+ limit: 10 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ }
},
- "https://my.awesome.website/user/#/1/cryptpad-user2/GdflkgdlkjeworijfkldfsdflkjeEAsdlEnkbx1vVOo=": {
- limit: 10 * 1024 * 1024 * 1024,
- plan: 'insider',
- note: 'storage space donated by my.awesome.website'
- }
- },
- */
-
- //premiumUploadSize: 100 * 1024 * 1024,
-
- /* =====================
- * DATABASE VOLUMES
- * ===================== */
- filePath: './datastore/',
- archivePath: './data/archive',
- pinPath: './data/pins',
- taskPath: './data/tasks',
- blockPath: './block',
- blobPath: './blob',
- blobStagingPath: './data/blobstage',
- logPath: './data/logs',
-
- /* =====================
- * Debugging
- * ===================== */
- logToStdout: false,
- logLevel: 'info',
- logFeedback: false,
- verbose: false,
- };
- '';
-};
-
-fileSystems."/var/lib/private/cryptpad" = {
- device = "${hostName}/var/cryptpad";
- fsType = "zfs";
-};
-
-services.sanoid.datasets = {
- "${hostName}/var/cryptpad" = {
- use_template = [ "snap" ];
- daily = 31;
+ */
+
+ //premiumUploadSize: 100 * 1024 * 1024,
+
+ /* =====================
+ * DATABASE VOLUMES
+ * ===================== */
+ filePath: './datastore/',
+ archivePath: './data/archive',
+ pinPath: './data/pins',
+ taskPath: './data/tasks',
+ blockPath: './block',
+ blobPath: './blob',
+ blobStagingPath: './data/blobstage',
+ logPath: './data/logs',
+
+ /* =====================
+ * Debugging
+ * ===================== */
+ logToStdout: false,
+ logLevel: 'info',
+ logFeedback: false,
+ verbose: false,
+ };
+ '';
};
-};
-services.syncoid.commands = {
- "${hostName}/var/cryptpad" = {
- sendOptions = "raw";
- target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/cryptpad";
+ fileSystems."/var/lib/private/cryptpad" = {
+ device = "${hostName}/var/cryptpad";
+ fsType = "zfs";
};
-};
-
-systemd.services.nginx = {
- #after = [ "cryptpad.service" ];
- #wants = [ "cryptpad.service" ];
- serviceConfig = {
- BindReadOnlyPaths = [
- "/var/lib/private/cryptpad:${cryptpad_root}"
- ];
- LogsDirectory = lib.mkForce [
- "nginx/${domain}/${srv}"
- ];
- };
-};
-
-services.nginx.virtualHosts.${main_domain} = {
- serverAliases = [ sandbox_domain ];
- forceSSL = true;
- useACMEHost = domain;
-
- # DOC: https://github.com/xwiki-labs/cryptpad/blob/master/docs/example.nginx.conf
- root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
-
- # The nodejs process can handle all traffic whether accessed over websocket or as static assets
- # We prefer to serve static content from nginx directly and to leave the API server to handle
- # the dynamic content that only it can manage. This is primarily an optimization
- locations."^~ /cryptpad_websocket" = {
- proxyPass = "http://[::1]:3100";
- proxyWebsockets = true;
+
+ services.sanoid.datasets = {
+ "${hostName}/var/cryptpad" = {
+ use_template = [ "snap" ];
+ daily = 31;
+ };
};
- locations."^~ /customize.dist/" = {
- # This is needed in order to prevent infinite recursion between /customize/ and the root
+ services.syncoid.commands = {
+ "${hostName}/var/cryptpad" = {
+ sendOptions = "raw";
+ target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/cryptpad";
+ };
};
- # try to load customizeable content via /customize/ and fall back to the default content
- # located at /customize.dist/
- # This is what allows you to override behaviour.
- locations."^~ /customize/".extraConfig = ''
- rewrite ^/customize/(.*)$ $1 break;
- try_files /customize/$uri /customize.dist/$uri;
- '';
- # /api/config is loaded once per page load and is used to retrieve
- # the caching variable which is applied to every other resource
- # which is loaded during that session.
- locations."= /api/config" = {
- proxyPass = "http://[::1]:3100";
+ systemd.services.nginx = {
+ #after = [ "cryptpad.service" ];
+ #wants = [ "cryptpad.service" ];
+ serviceConfig = {
+ BindReadOnlyPaths = [
+ "/var/lib/private/cryptpad:${cryptpad_root}"
+ ];
+ LogsDirectory = lib.mkForce [
+ "nginx/${domain}/${srv}"
+ ];
+ };
};
- # encrypted blobs are immutable and are thus cached for a year
- locations."^~ /blob/" = {
- root = cryptpad_root;
- extraConfig = ''
- ${add_headers}
- if ($request_method = 'OPTIONS') {
+ services.nginx.virtualHosts.${main_domain} = {
+ serverAliases = [ sandbox_domain ];
+ forceSSL = true;
+ useACMEHost = domain;
+
+ # DOC: https://github.com/xwiki-labs/cryptpad/blob/master/docs/example.nginx.conf
+ root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
+
+ # The nodejs process can handle all traffic whether accessed over websocket or as static assets
+ # We prefer to serve static content from nginx directly and to leave the API server to handle
+ # the dynamic content that only it can manage. This is primarily an optimization
+ locations."^~ /cryptpad_websocket" = {
+ proxyPass = "http://[::1]:3100";
+ proxyWebsockets = true;
+ };
+
+ locations."^~ /customize.dist/" = {
+ # This is needed in order to prevent infinite recursion between /customize/ and the root
+ };
+ # try to load customizeable content via /customize/ and fall back to the default content
+ # located at /customize.dist/
+ # This is what allows you to override behaviour.
+ locations."^~ /customize/".extraConfig = ''
+ rewrite ^/customize/(.*)$ $1 break;
+ try_files /customize/$uri /customize.dist/$uri;
+ '';
+
+ # /api/config is loaded once per page load and is used to retrieve
+ # the caching variable which is applied to every other resource
+ # which is loaded during that session.
+ locations."= /api/config" = {
+ proxyPass = "http://[::1]:3100";
+ };
+
+ # encrypted blobs are immutable and are thus cached for a year
+ locations."^~ /blob/" = {
+ root = cryptpad_root;
+ extraConfig = ''
${add_headers}
+ if ($request_method = 'OPTIONS') {
+ ${add_headers}
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ add_header Cache-Control max-age=31536000;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
- add_header 'Content-Length' 0;
- return 204;
+ add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ try_files $uri =404;
+ '';
+ };
+
+ # The "block-store" serves encrypted payloads containing users' drive keys
+ # these payloads are unlocked via login credentials.
+ # They are mutable and are thus never cached.
+ # They're small enough that it doesn't matter, in any case.
+ locations."^~ /block/" = {
+ root = cryptpad_root;
+ extraConfig = ''
+ ${add_headers}
+ add_header Cache-Control max-age=0;
+ try_files $uri =404;
+ '';
+ };
+
+ # ugly hack: disable registration
+ /*
+ locations."/register" = {
+ deny all;
}
- add_header Cache-Control max-age=31536000;
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- try_files $uri =404;
- '';
- };
+ */
- # The "block-store" serves encrypted payloads containing users' drive keys
- # these payloads are unlocked via login credentials.
- # They are mutable and are thus never cached.
- # They're small enough that it doesn't matter, in any case.
- locations."^~ /block/" = {
- root = cryptpad_root;
- extraConfig = ''
- ${add_headers}
- add_header Cache-Control max-age=0;
- try_files $uri =404;
+ # The nodejs server has some built-in forwarding rules to prevent
+ # URLs like /pad from resulting in a 404. This simply adds a trailing slash
+ # to a variety of applications.
+ locations."~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$".extraConfig = ''
+ rewrite ^(.*)$ $1/ redirect;
'';
- };
-
- # ugly hack: disable registration
- /*
- locations."/register" = {
- deny all;
- }
- */
-
- # The nodejs server has some built-in forwarding rules to prevent
- # URLs like /pad from resulting in a 404. This simply adds a trailing slash
- # to a variety of applications.
- locations."~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$".extraConfig = ''
- rewrite ^(.*)$ $1/ redirect;
- '';
- extraConfig = ''
- access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
- error_log /var/log/nginx/${domain}/${srv}/error.log warn;
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
+ error_log /var/log/nginx/${domain}/${srv}/error.log warn;
- index index.html;
- error_page 404 /customize.dist/404.html;
+ index index.html;
+ error_page 404 /customize.dist/404.html;
- # add_header will not set any header if it is emptystring
- set $cacheControl "";
- # any static assets loaded with "ver=" in their URL will be cached for a year
- if ($args ~ ver=) {
- set $cacheControl max-age=31536000;
- }
+ # add_header will not set any header if it is emptystring
+ set $cacheControl "";
+ # any static assets loaded with "ver=" in their URL will be cached for a year
+ if ($args ~ ver=) {
+ set $cacheControl max-age=31536000;
+ }
- set $unsafe 0;
- # the following assets are loaded via the sandbox domain
- # they unfortunately still require exceptions to the sandboxing to work correctly.
- if ($uri = "/pad/inner.html") { set $unsafe 1; }
- if ($uri = "/sheet/inner.html") { set $unsafe 1; }
- if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+ set $unsafe 0;
+ # the following assets are loaded via the sandbox domain
+ # they unfortunately still require exceptions to the sandboxing to work correctly.
+ if ($uri = "/pad/inner.html") { set $unsafe 1; }
+ if ($uri = "/sheet/inner.html") { set $unsafe 1; }
+ if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
- # Everything except the sandbox domain is a privileged scope,
- # as they might be used to handle keys
- if ($host != "${sandbox_domain}") { set $unsafe 0; }
+ # Everything except the sandbox domain is a privileged scope,
+ # as they might be used to handle keys
+ if ($host != "${sandbox_domain}") { set $unsafe 0; }
- # script-src specifies valid sources for javascript, including inline handlers
- set $scriptSrc "'self' resource: ${main_domain}";
+ # script-src specifies valid sources for javascript, including inline handlers
+ set $scriptSrc "'self' resource: ${main_domain}";
- # privileged contexts allow a few more rights than unprivileged contexts,
- # though limits are still applied
- if ($unsafe) {
- set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
- }
+ # privileged contexts allow a few more rights than unprivileged contexts,
+ # though limits are still applied
+ if ($unsafe) {
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ }
- ${add_headers}
+ ${add_headers}
- # Finally, serve anything the above exceptions don't govern.
- try_files /www/$uri /www/$uri/index.html /customize/$uri;
- '';
-};
+ # Finally, serve anything the above exceptions don't govern.
+ try_files /www/$uri /www/$uri/index.html /customize/$uri;
+ '';
+ };
}
sourcephile / git / sourcephile-nix.git / blobdiff